Topic 27

Ransomware: Encryption Turned Against You

Concept

Ransomware is the malware behind the headlines about shut-down hospitals and frozen fuel pipelines. It works by turning a tool for good against you: it scrambles your files so you can't open them, then demands payment to unscramble them. Everything Olivia learned about encryption earlier — locking information so only the right person can read it — is exactly what makes ransomware so hard to fight.

Ransomware is malware that encrypts your files and then demands a payment, the ransom, in exchange for the key that unlocks them. The lock is real, not a trick, and the attacker is the only one holding the key.

Think of a burglar who takes nothing from your house. Instead, they weld an unbreakable lock onto your front door and then offer to sell you the only key. Your possessions are still right there, untouched — you just can't reach them. Ransomware lives entirely in that gap between "still there" and "can't reach it."

How a ransomware incident unfolds — and the way out
  • Files readable: working normally
  • Ransomware encrypts: files locked in place
  • Ransom demand: pay for the key
  • Restore from backup: the reliable way out

What Ransomware Does

When ransomware runs on a device, it encrypts the files it can reach — documents, photos, spreadsheets, sometimes whole systems. Encrypting here means scrambling each file with a secret key so it becomes unreadable noise. The files are still sitting on the disk, but without the key they may as well be gone.

This is an attack on availability, one of the three properties security protects (the CIA triad: confidentiality, integrity, availability) and the one about having your information there when you need it. The data hasn't been stolen, and it isn't gone; it has simply been locked away where no one can use it. A business whose files are all locked at once can grind to a halt in minutes.

Why It Is So Damaging

The cruel part is that the encryption is the real, proper kind. Done correctly, encryption can't be undone without the key — that is the entire reason it works as a defense everywhere else. Ransomware borrows that same strength and points it at you.

So if Olivia's only copy of a file is the one that got encrypted, and the attacker holds the only key, the file may be genuinely unrecoverable. There is no clever trick to reverse strong encryption from the outside. That is why ransomware is so feared: the lock that protects honest data is just as unbreakable when it is working against you.

The Modern Twist: Double Extortion

Newer ransomware adds a second threat. Before locking the files, the attackers quietly copy them first. Now they have two forms of pressure: they can keep your files locked, and they can threaten to publish your private data unless you pay. This pairing is called double extortion.

The nasty consequence is that paying for the key no longer makes the problem go away. Even if your files are unlocked, the attacker still has a copy of your confidential data — so a breach of secrecy has already happened, and paying can't un-happen it.

Classic ransomware vs double extortion
Classic Ransomware
Files are locked on your own system. Attacker holds the decryption key and demands payment. Paying returns the key — but there is no guarantee it works.
Double Extortion
Attacker copies your files first, then locks them. Even after paying for the key, they still hold a copy — the secrecy breach has already happened and can't be undone.

Why Backups Are the Real Answer

If the attacker's power comes from holding the only key to your files, that power disappears the moment you have another copy. A backup — a separate, spare copy of your files kept somewhere safe — lets you rebuild your data without ever dealing with the attacker. You restore from the backup and walk away.

For a backup to survive ransomware, it has to be out of the malware's reach: ideally offline or otherwise separated, so it doesn't get encrypted along with everything else. A backup folder sitting on the same machine is just another set of files for the ransomware to lock. And a backup only counts if you have actually tried restoring from it before you need it. This is the direct reason backups get their own topic later in the course: against ransomware, a clean, tested backup is the difference between restoring and paying-and-hoping.
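To make the whole cycle concrete (the lock in "What Ransomware Does", the "no clever trick" point above, the copy-then-lock of double extortion, and the backup that has to be out of reach), here is an added simulation. It is not code from the course or from any real malware: the "disk" is an in-memory dictionary of constructed sample files, the cipher is a counter-mode keystream built from HMAC-SHA256 using only the standard library (a stand-in for the AES a real strain would use), and nothing touches the real filesystem. The key is generated on the attacker's side and never stored anywhere the victim can reach.

```python
"""Toy end-to-end simulation of a ransomware incident.

Added example for this topic, not code from the course or any real
malware. The "disk" is an in-memory dict of path -> bytes holding
constructed sample files; the cipher is a counter-mode keystream built
from HMAC-SHA256 (standard library only), standing in for the AES a real
strain would use. Nothing here touches the real filesystem.
"""
import copy
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce, counter).

    The same call both encrypts and decrypts. Without the key the
    keystream is unpredictable, so the output is indistinguishable
    from random noise.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)          # fresh per file, never reused
    return nonce + keystream_xor(key, nonce, data)


def decrypt_file(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, body)


def attacker_run(disk: dict, key: bytes, exfiltrate: bool) -> dict:
    """What the malware does on the victim's machine.

    Double extortion: copy first, then lock. Every path stays on the
    'disk' (nothing is deleted), but each body is replaced by ciphertext.
    The key is never written anywhere the victim can reach it.
    """
    stolen = copy.deepcopy(disk) if exfiltrate else {}
    for path in list(disk):
        disk[path] = encrypt_file(key, disk[path])
    return stolen


def restore_from_backup(disk: dict, backup: dict) -> None:
    """The way out that needs no key: overwrite with the clean copy."""
    disk.clear()
    disk.update(copy.deepcopy(backup))


def run_incident() -> dict:
    # Constructed sample data. The 'backups/' folder sits on the same disk
    # the malware can reach; offline_backup is a copy taken earlier and
    # kept somewhere the malware cannot see.
    disk = {
        "docs/report.docx": b"Q3 revenue: 4.2M. Margin up 3 points.",
        "photos/holiday.jpg": bytes(range(256)),
        "backups/report.docx.bak": b"Q3 revenue: 4.2M. Margin up 3 points.",
    }
    original = copy.deepcopy(disk)
    offline_backup = copy.deepcopy(disk)

    attacker_key = os.urandom(32)  # exists only on the attacker's side
    stolen = attacker_run(disk, attacker_key, exfiltrate=True)

    report = "docs/report.docx"
    result = {
        # availability attack: every file still 'on disk', none readable
        "files_still_present": set(disk) == set(original),
        "report_readable": disk[report] == original[report],
        # a backup the malware could reach is locked along with the rest
        "reachable_backup_survived":
            disk["backups/report.docx.bak"] == original["backups/report.docx.bak"],
        # guessing a key does not help: strong encryption has no shortcut
        "wrong_key_recovers":
            decrypt_file(os.urandom(32), disk[report]) == original[report],
        # the attacker's key does reverse it: the lock is real, not a trick
        "attacker_key_recovers":
            decrypt_file(attacker_key, disk[report]) == original[report],
    }

    restore_from_backup(disk, offline_backup)
    result["restored_equals_original"] = disk == original
    # double extortion: the copy taken before locking is untouched by any
    # restore or payment; the confidentiality breach has already happened
    result["stolen_copy_readable"] = stolen[report] == original[report]
    return result


if __name__ == "__main__":
    for name, value in run_incident().items():
        print(f"{name:28} {value}")
```

Running it shows the shape of the argument in one pass: after the attack every path is still present but unreadable, the "backup" that lived on the same disk is locked too, a guessed key recovers nothing while the attacker's key does, the offline copy restores everything without any key, and the copy the attacker took beforehand is still readable to them no matter what the victim does afterwards.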

Common Confusions
  • "Paying the ransom guarantees I get my data back." It guarantees nothing. The key you are sent may not work, the attacker may simply vanish, and you have now funded them and marked yourself as someone who pays.
  • "Ransomware steals my files." Classic ransomware locks your files in place with encryption — they never leave. Newer double-extortion attacks also steal a copy, but the original, defining move is locking, not taking.
  • "Good antivirus means ransomware can't hurt me." Antivirus helps, but no filter catches everything. The defense that actually saves your data is a clean backup, because it lets you restore without the attacker's key.

Why It Matters
  • Ransomware is the clearest example of a protective tool, encryption, being turned into a weapon — proof that tools are neutral, and what matters is who holds the key.
  • It makes the case for backups concrete: a spare copy out of the attacker's reach is what turns a disaster into an inconvenience.
  • It shows why "did anything get stolen?" is not the only question — locking data in place is itself a serious attack, the kind that takes whole organizations offline.

Knowledge Check

What does classic ransomware actually do to a victim's files?

  • It encrypts them so they can't be opened, then demands payment for the key
  • It permanently deletes them so no recovery is ever possible
  • It secretly edits numbers and metadata in your files while staying hidden, so you won't notice anything changed
  • It copies your keystrokes to watch what you type

A company's files are all encrypted by ransomware and the business stops working. Which part of the CIA triad has been attacked?

  • Availability — the data is unreachable when it's needed
  • Confidentiality — an outsider was able to read your private data and could now share it with anyone
  • Integrity — the contents were quietly changed
  • None — locked files aren't a security problem

Why is paying the ransom an unreliable way to get your files back?

  • The key may not work, the attacker may vanish, and you've funded them either way
  • It only fails if the ransom demand is set too low for the attacker to consider it worth responding to
  • Paying always works, it just takes several weeks to arrive
  • It fails only if your antivirus blocks the unlock file

What makes a clean backup the strongest defense against ransomware?

  • A spare, separate copy lets you restore without the attacker's key
  • It stops the ransomware from ever reaching your files by blocking it before it can run on the device
  • It can decrypt the locked files without any key
  • It only helps if it sits on the same disk as the originals

In a double-extortion attack, why doesn't paying for the key fully solve the problem?

  • The attacker already copied your data, so a secrecy breach has already happened
  • Because the decryption key the attacker sends you in these attacks will not actually unlock your encrypted files
  • Because the payment takes too long to reach the attacker
  • Because double extortion only locks half of your files
